Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Stefano_Cappell
Participant

Is this a Legitimate "fist packet isn't SYN drop"?

We have this transaction that, in this example, startsat 11:00. At 11.02 the remote server tries to close it sending the FIN but the local server tries to close it only half an hour later (at 11.30). This FIN packet gets retransmitted  but no ack is sent by the remote server. At last the local server sends a RST

2020-10-22 15_08_23-poller - 172.20.3.2 - Connessione Desktop remoto.png

 My problem here is that those Resets (and sometimes some final FIN ACK packet as well) get blocked by our Checkpoint as a "first packet isn't SYN"

 

2020-10-22 15_04_42-poller - 172.20.3.2 - Connessione Desktop remoto.png

 

Is this legitimate? the tcp session timeout configured for the firewall is 3600. Is this because those packet are past both side FIN packet and the TCP end timeout is set (by default) at 5 seconds?

thanks  

 

 

0 Kudos
1 Reply
PhoneBoy
Admin
Admin

Seems legit to me, as FIN would start the TCP end timer and remove it from the main connection table.
As such, it would see that FIN packet 28 mins later as a “new” connection, thus you get the message.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events